max rsa key length, sym. cipher and digest recommendations ?

Phooraalai phooraalai at googlemail.com
Tue Jan 7 13:54:19 CET 2014


Hello Guus,

I now have a simple tinc VPN setup with an RSA key length of 8192 bits,
aes-256-cbc and sha512.

Is there a way to measure throughput in tinc besides me watching the
processes in "top" while I do my backups? Usually my DSL connection is
the bottleneck when doing backups. That way I could evaluate if I will
keep sha512 or use sha1 just as you suggested. I know that I can compare
"openssl speed sha1" and "openssl speed sha512", but that won't tell me
what tinc is doing with it.

Debian wheezy has tinc 1.0.23, but Ubuntu 12.04 is behind at 1.0.16 and
Ubuntu 13.10 is at 1.0.21. Is there a tinc apt repository which carries
the sources so that I could build deb packages?

BR
P.

> On Tue, Jan 07, 2014 at 10:45:04AM +0100, Phooraalai wrote:
> 
>> I understand that I can use the openssl ciphers and digests available on
>> my systems, i.e. those in the list generated by "openssl
>> list-cipher-commands" and "openssl list-message-digest-algorithms".
> 
> That is correct.
> 
>> I want to create an admin VPN network between my servers and my
>> workplace. Network throughput is not a big issue, I am using ssh and the
>> CLI, however I would also do incremental rsync backups over this VPN.
>>
>> What are the recommendations for rsa key lengths, the cipher and the
>> digest algo ?
> 
> The default values are already pretty good (2048-bit RSA keys, Blowfish-CBC,
> and SHA1).
> 
>> Blowfish as the symmetric cipher seems ok to me. Would aes-256-cbc
>> benefit from the aes acceleration in modern cpus ?
>>
>> Would cipher=aes-256-cbc work in my host configuration files ?
> 
> Yes, that would work.
> 
>> The documentation ( man 5 tinc.conf ) says that sha1 is the default
>> digest. What about using sha512? Any huge performance penalty that I
>> would have to know about ?
>>
>> Would digest=sha512 work in my host configuration files ?
> 
> That would work, but SHA512 is twice as slow as SHA1. If you are using the AES
> cipher on a CPU which accelerates AES, then the digest algorithm will be the
> largest consumer of CPU time, so if you don't want to lose the benefit of AES
> you should stick to SHA1.
> 
>> What is the max rsa key length supported by tinc when running tincd -n
>> NETNAME -KXXXX to generate the asym. rsa key? 4096, 8192, 16384 ?
> 
> Any length up to 8192 bits is supported by tinc. You also don't have to use
> powers of two, for example you can also use 6000-bit keys.
> 
>> Is there somewhere a write up of the steps to build my own .deb packages
>> for debian wheezy and ubuntu 12.04 ?
> 
> The easiest way is to run "apt-get source tinc" to get the source of the tinc
> package, then to make any modifications you want, and then run "debuild"
> (debuild is part of the devscripts package).
> 

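As an added example (not from this thread or from the tinc project), one way to see what tinc is actually doing, rather than watching top or trusting "openssl speed", is to sample the VPN interface's byte counters together with tincd's CPU ticks over a window: running it once with digest=sha512 and once with digest=sha1 during the same rsync job gives a CPU-per-MiB figure that reflects the digest cost Guus describes. It assumes Linux, a tinc 1.0 interface named after the netname, and a pid file at /var/run/tinc.NETNAME.pid; NETNAME, IFACE and INTERVAL are hypothetical defaults you override from the environment.

```shell
#!/bin/sh
# Sample the tinc interface byte counters and tincd's CPU ticks over an
# interval, then report throughput and CPU cost per MiB transferred.
# Assumptions (adjust for your setup): the VPN interface is named after
# the netname, and tincd writes its pid to /var/run/tinc.NETNAME.pid.
NETNAME="${NETNAME:-myvpn}"
IFACE="${IFACE:-$NETNAME}"
INTERVAL="${INTERVAL:-10}"

# rx+tx bytes seen on an interface, from the kernel's statistics files
iface_bytes() {
    rx=$(cat "/sys/class/net/$1/statistics/rx_bytes")
    tx=$(cat "/sys/class/net/$1/statistics/tx_bytes")
    echo $((rx + tx))
}

# user+system CPU ticks consumed so far by the tincd serving a netname
tincd_ticks() {
    pid=$(cat "/var/run/tinc.$1.pid")
    # In /proc/PID/stat the fields after the ')' start at 3, so utime (14)
    # and stime (15) are the 12th and 13th words of that remainder.
    set -- $(cut -d')' -f2 "/proc/$pid/stat")
    echo $(( ${12} + ${13} ))
}

# Mbit/s over a window: bytes_before bytes_after seconds
mbit_per_s() {
    echo $(( ($2 - $1) * 8 / $3 / 1000000 ))
}

# CPU milliseconds spent per MiB moved: ticks_before ticks_after
# bytes_before bytes_after ticks_per_second (prints 0 if nothing moved)
cpu_ms_per_mib() {
    dticks=$(( $2 - $1 )); dbytes=$(( $4 - $3 ))
    [ "$dbytes" -gt 0 ] || { echo 0; return; }
    echo $(( dticks * 1000 * 1048576 / $5 / dbytes ))
}

# The measurement itself only runs when invoked as: sh measure.sh --measure
if [ "${1:-}" = "--measure" ]; then
    hz=$(getconf CLK_TCK)
    b0=$(iface_bytes "$IFACE"); t0=$(tincd_ticks "$NETNAME")
    sleep "$INTERVAL"
    b1=$(iface_bytes "$IFACE"); t1=$(tincd_ticks "$NETNAME")
    echo "throughput: $(mbit_per_s "$b0" "$b1" "$INTERVAL") Mbit/s"
    echo "tincd cpu:  $(cpu_ms_per_mib "$t0" "$t1" "$b0" "$b1" "$hz") ms per MiB"
fi
```

Run it as root (the pid file is usually root-only) while a backup is in flight, then repeat after switching the digest and restarting tincd; a lower ms-per-MiB at the same throughput is the CPU headroom the cheaper digest buys you.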